Yes, I know I am quite late getting to this, but I was waiting last year to see what would be published and then let this slip off my radar, so to speak.
What I wish to be sure I understand is that nothing else in the database, like PMs, was compromised during the data breach last year.
I have looked about here and there on this site and the blog and do not see any further specifics after the initial blog post and then in that “relaunch” thread. If I missed something, please forgive me.
You would have received and email from Avast explaining what happened and further information was given when logging in after the forum was reinstated about the new logon process and changing your password or something along those lines, like Bob mentioned it’s water under the bridge.
Please excuse me, but are you posting as a representative of the group you belong to, thus as a representative of the company? Meaning the answer to my question is: No, the PMs were not compromised.
Thank you for confirming the question had not previously been asked.
As a member of a special group here on a site dedicated to raising average Net user awareness of security issues the point that the question had not yet been asked should bother you. I mean, if you are serious in what your group members should be trying to accomplish here.
This issue only affects our community-support forum. Less than 0.2% of our 200 million users were affected. No payment, license, or financial systems [b]or other data was compromised[/b].
Please excuse me, Pondus, but one of your colleagues very certainly informed me that only Avast Team members were able to make statements that can be accepted as a company statement. Is that true or not?
You quoting the blog entry does not definitively answer my question.
The only definitive answer that would be acceptable here would be a company representative categorically stating the answer is: No, the database was not compromised except for what is noted in the blog post of May 26th, 2014.
If, on the other hand, Pondus, you are authorized to speak on behalf of the company, then I apologize.
You see, it is a stretch I have a hard time accepting that a hacker (or hackers) could access the database to get what is already listed in that blog post, yet could not get such things as PMs or IP addresses. The tables within the database are usually all there set together.
In addition, subsequent investigation after the blog post might have turned up new information.
So, I ask. It is a legitimate concern that should already have been asked on this board.
EDIT: Thank you to the Avast Team member that just posted a clarification of policy.
“We realize that it is serious to have these usernames stolen and regret the concern and inconvenience it causes you. However, this is an isolated third-party system and your sensitive data remains secure.”
Okay, I see all these special group members coming onto this thread blasting away at me with the start of this ‘blast away at ManyQs’ with that post up there about “inquisitions” which I am now aware of management’s acceptance of that bit of kindness blasted at me, so how about we do this in the terms of security, which happens to be the business of this company. When it comes to security what exactly is wrong with the concept of verify?
The concept of “verify” is only used in certain situations? Like here, we are to automatically take the blog post all are citing that was done on the Monday right after the data breach was discovered – we are supposed to accept that because of what? Because it was this company that posted it? Because it is Avast the concept of verify goes out the window? We don’t see any reassurance posted a week later, for example, that states we have double-checked and want to assure you our original appraisal was correct and only such-and-such was compromised. Oh no, the idea of doing that is completely alien to this community’s elite, right?
So alien that the concept of being nice to our fellow community members is also tossed out the window and such posts like that first one up there right after Bob’s – well, that is acceptable because we all know ManyQs is a jerk and deserves to be dumped on. Yep, ManyQs has it coming to him and the sooner we can hound him out of here the better it is for the community.
If we are careful in researching this situation we see that the sentence about no financial data, etc. applies to everything outside of that forum platform. And that .2 percent is just a PR ploy – a smokescreen. And the company media specialists know that.
In addition, as of when that blog post went up and that individual also released a letter to a security expert on the Net the company still did not know how the hack was done.
As such, a question as to whether the PMs were compromised is quite legitimate. In fact, it is a question that should be of concern to every community member here. And the repeated attempts to state things like it was too long ago to be a bother now is hogwash.
Why is it hogwash? Because if the PMs were compromised and the company did not inform the community members as soon as they knew, that speaks of extreme disrespect!
Now, one business day has certainly passed in the city where this company has its headquarters and still no answer here.
If somebody at that company thinks I am just going to fade away, you best think again. And if you think banning me for asking this question will do the trick, think again.
What’s going to happen if I don’t get an answer within about one or two more business days there, is, ONE: I am going to first go to the embassy of the Czech Republic and file a complaint and then, TWO: I am going to send a letter to whatever law enforcement agency at the national level in that country handles such matters and explain that I tried to use this support forum to get answers and nothing happened. I am also going to see what EU regulations might apply and see whether a complaint to the appropraie EU regulatory agency may be useful.
I will get the answers, no matter how long it takes. If I have to spend money to get answers through an attorney’s office in the Czech Republic, so be it. Whatever it takes, I’m going to do it. And I have good reason for being stubborn about this. This speaks to a bigger issue. An issue that is much bigger than any one company.
The answer to your question whether the PM database was also compromised is: “We don’t know”.
We know that the attacker broke into the forum server, and then we know that the forum user database was being offered for sale in some underground chat rooms (and we then got hold of it and confirmed it was indeed genuine). The PMs were not part of it, but that by itself is of course no proof that the attacker wasn’t able to steal them as well.
BTW this is what typical happens with hacks in general – very little evidence about what actually happened…
